Dave Bittner
You're listening to the Cyberwire Network powered by N2K.
Rocco D'Amico
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see
Dave Bittner
it first, and it works.
Rocco D'Amico
Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Dave Bittner
The White House names their nominee for CISA's top spot. Patch Tuesday updates. Apple issues emergency updates for a zero-day WebKit vulnerability. Researchers highlight advanced MFA-bypassing techniques. North Korea's Lazarus Group targets cryptocurrency wallets and browser data. Our guest today is Rocco D'Amico of Brass Valley, discussing hidden risks in retired devices. And making sense of the skills gap paradox. It's Wednesday, March 12th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Hello again and thank you for joining us. It is great to have you with us today. Sean Plankey, a former cybersecurity official in the Trump administration, has been nominated to lead the Cybersecurity and Infrastructure Security Agency. His nomination is under Senate review. A U.S. Coast Guard veteran, Plankey previously served in key cybersecurity roles at the Department of Energy and National Security Council, earning a Bronze Star for offensive cyber operations in Afghanistan. Until recently, he led cybersecurity efforts at Indigo Vault. CISA faces criticism, with some lawmakers questioning its mission scope. Supporters praise Plankey's expertise, citing his focus on risk reduction and national security. He advocates for stricter cloud security regulations and reciprocity in cyber policy. Plankey has emphasized reducing reliance on adversarial nations for critical infrastructure. Meanwhile, a former CISA penetration tester claims his 100-person team was cut after Elon Musk's DOGE unit canceled their contract. Christopher Chenoweth says DOGE also axed another red team, leaving many cybersecurity experts jobless. DOGE, the federal cost-cutting advisory group, has targeted multiple DHS contracts. Meanwhile, the EI-ISAC, a key election security initiative, shut down after DHS funding was cut, and the MS-ISAC faces similar risks. Experts warn these cuts weaken cybersecurity for elections and local governments.
Microsoft's March 2025 Patch Tuesday update fixes 57 vulnerabilities, including seven zero-days, six of which were actively exploited. The patches address privilege escalation, remote code execution, security bypass, and information disclosure flaws. One critical zero-day allows local attackers to gain SYSTEM privileges via a race condition in the Windows Win32 kernel. Two NTFS vulnerabilities let attackers extract sensitive data using a malicious USB drive. A publicly disclosed zero-day is an RCE flaw in Microsoft Access. Critical RCE vulnerabilities impact Windows Remote Desktop Services, Microsoft Office, DNS, and the Windows Subsystem for Linux. The NTFS and FAT flaws are particularly concerning, as they enable malware delivery via crafted virtual hard disk files. Security experts urge immediate patching, especially for Office vulnerabilities, to mitigate exploitation risks. Other vendors, including Cisco, Google and Fortinet, have also issued March security updates. Siemens and Schneider Electric have issued their March 2025 Patch Tuesday ICS security advisories addressing multiple vulnerabilities. Schneider Electric warns of a critical flaw in EcoStruxure that allows command execution if the default password isn't changed, along with authentication bypass and sensitive data exposure issues. Siemens published 11 advisories, including a bootloader flaw in SINAMICS S200, privilege escalation in SiPass controllers, and authentication bypass vulnerabilities in multiple products. OpenVPN and BIOS vulnerabilities were also fixed. CISA released two ICS advisories highlighting critical flaws in Optigo Networks' capture tools and a Schneider Electric Uni-Telway driver vulnerability. Security experts urge immediate updates to protect industrial systems from exploitation. CISA has also issued an urgent advisory for a critical vulnerability in Microsoft Windows Management Console that allows remote code execution.
Attackers exploit improper input sanitization, enabling lateral movement, data theft, or malware deployment. Federal agencies must patch by April 2nd. Microsoft released an out-of-band patch on March 10th, 2025. Organizations should apply updates immediately, restrict MMC access via firewall rules, and monitor for exploitation. Systems with exposed MMC services are at high risk. While not confirmed in ransomware attacks, its network-based attack vector makes it dangerous. CISA urges private organizations to prioritize patching and adopt zero trust architectures to protect against future threats. Apple has issued emergency security updates to patch a zero-day WebKit vulnerability actively exploited in targeted attacks. The flaw, an out-of-bounds write issue, allows malicious web content to escape the Web Content sandbox, potentially enabling unauthorized actions. The update affects iOS, iPadOS, macOS, Safari, visionOS and tvOS. Apple warns that the vulnerability was used in sophisticated attacks on older iOS versions. This is Apple's third zero-day fix in 2025, following similar patches in January and February. Users should update immediately to mitigate risks, as Apple has not disclosed attacker details or targets. Adversaries are exploiting advanced MFA-bypassing techniques to gain unauthorized access to accounts, manipulating authentication workflows rather than breaking authentication factors. Researchers at Quarkslab discovered that attackers exploit timing vulnerabilities and session token manipulation to trick systems into believing MFA was successfully completed. A particularly dangerous technique involves intercepting and modifying authentication response data, injecting JavaScript code to alter session flags before MFA verification is finalized. These attacks are hard to detect, leaving minimal forensic evidence, and often appear as legitimate authentication events.
The vulnerability primarily affects systems that separate authentication and resource servers, creating gaps attackers exploit during network latency or error conditions. Experts recommend continuous MFA validation and cryptographically signed session tokens to prevent unauthorized modifications. Users should monitor accounts for suspicious activity despite MFA being enabled. Researchers have identified six malicious npm packages linked to the Lazarus Group, a North Korean hacking collective. These typosquatting packages, downloaded 330 times, aim to steal credentials, deploy backdoors, and extract cryptocurrency data. The Socket research team linked this attack to previous Lazarus supply chain operations seen on npm, GitHub, and PyPI. The malware targets cryptocurrency wallets and browser-stored data. It also loads the BeaverTail and InvisibleFerret backdoors. All six packages remain active, and developers are urged to scrutinize dependencies for suspicious activity. Coming up after the break, my conversation with Rocco D'Amico from Brass Valley discussing the hidden risks in retired devices, plus making sense of the skills gap paradox. Stay with us.
Rocco D'Amico
Cyber threats are more sophisticated than ever.
Dave Bittner
Passwords.
Rocco D'Amico
They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the thing: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Dave Bittner
My guest today is Rocco D'Amico from Brass Valley. Our conversation centers on the hidden risks in retired devices and reducing data breach threats.
Sean Planke
Well, there's two aspects to that. One is businesses and the other aspect is just individual computer users. I think individual computer users at your house, I think some people think you can just do an fdisk or something like that and erase the data. But in reality you're really not getting the data and erasing it. You should try to find a competent resource that can help you recycle and destroy data. You probably can get those through Best Buy or companies like that. From the business side, some people do a good job and other people don't do a good job. I think that what we find is, in data centers, as people move to the cloud, one of the things that gets overlooked is hidden media. And folks will do a really good job at identifying where the hard drives are, and they will do a good job typically of erasing or physically destroying the hard drives. But when it comes to other areas that store data, they get missed, and they get missed by the people that are actually doing the work in terms of doing the data destruction. Because what happens is, in a data center they use servers and they use arrays. And arrays for a long time have been built for speed and self-healing. And that means there's some types of buffer memory inside those arrays. And typically it's not where the drives reside, it's usually in a different spot. And so if you're not looking for it, it's so easy to miss. But it still contains all the data that goes on the hard drive. So we find that's one of the gaps that folks miss in this process, particularly with data centers.
Dave Bittner
That's interesting. I mean, I've seen some RAIDs and
Rocco D'Amico
arrays that have combinations of spinning hard drives and SSDs.
Dave Bittner
I would imagine that's similar to what you're talking about.
Sean Planke
It is, it is. And it's harder to identify them now because there are SSDs. But you really have to know the architecture of the system to really do a thorough job. And so for example, some of the software won't work on some of the other types of drives or some of the other media. So you just have to know what you're doing to be able to make sure you get everything.
Rocco D'Amico
Can you give us some idea of.
Dave Bittner
What you all consider best practices to be as an organization is turning over equipment?
Rocco D'Amico
What's the baseline they should be thinking about?
Sean Planke
Yeah, so ultimately your goal is to have a complete chain of custody. So that starts with understanding what you have and having a strong inventory list of what you have. Then reconciling that inventory list against the list that your ITAD provider gives you, that gives you forensic proof that data was destroyed. And you also want to be able to show the movement of the equipment. You want to be able to show a bill of lading that shows the equipment going from your facility to the vendor's facility. And you also, ideally, in a perfect world, you want to see where it goes after that, because they may be reselling it and they may be sending it downstream for recycling. And to have that complete cradle-to-grave chain of custody, you'd want to be able to document all those aspects of the process.
Dave Bittner
Well, that brings up a good question.
Rocco D'Amico
Here, which is if I'm shopping around for someone to help me with these recycling tasks, what sort of questions should I be asking?
Sean Planke
"Have you had any security incidents?" would be a good one, because there's more out there than you think. I guess I would ask to look at their reporting and see what their reporting is comprised of. As I said before, a complete chain of custody is going to show the movement of the equipment, not just a certificate of destruction or a certificate of recycling. You're going to want to be able to see the movement of the equipment. And one of the reasons behind that is that, in my view, electronics is considered universal waste. Many of the electronics devices that we handle are classified as universal waste. And the universal waste classification is one that treats universal waste as really kind of hazardous waste, but it's not exactly treated like that until something goes wrong. So if you handle hazardous waste, you really have to have a chain of custody that shows the movement of the equipment. And so we think that it's best practice to have that for the electronics industry as well. So I would look at the chain of custody and see what they can give you. And that's because it's so important. Because if something goes wrong, your only defense is really how good your chain of custody or your documentation is.
Rocco D'Amico
How can an organization go through and figure out where they're doing well and.
Dave Bittner
Where they have weaknesses?
Sean Planke
I think it's important to reconcile the documentation that you get back with your existing lists. And one step beyond that, I think, is what we've done internally: we've established high reliability practices in our organization. High reliability was originally developed by the nuclear industry. It was a place where if something goes wrong, it really is catastrophic, and it's to prevent just human errors. It was developed in nuclear, and then it was adopted by the airline industry, and then by the healthcare industry. So if you've ever gone to the hospital, the doctors are asking you questions two or three times, like, "Are you Rocco D'Amico?" And you say, "Yes, I am." And they check your date of birth. That's two-way cross checks. If you've been on a plane, just before they take off, you'll hear the pilot say, "Crosscheck complete." That's all high reliability practices, so that way things don't fall through the cracks. So I think as an initiative in an organization, if you really want to get tight and you've got otherwise solid processes and you want to eliminate individual errors and the human error effect, that would be a direction I would look.
Rocco D'Amico
How about just the sort of human factor of it? It's easy to put things off, right? Many a time have I wandered into the IT team's inner sanctum and there's
Dave Bittner
a pile of equipment sitting in the
Rocco D'Amico
corner, or a stack of laptops, and you move from one location to another and we're all busy and we've
Dave Bittner
all got stuff to do.
Rocco D'Amico
It's understandable to me how things like that can be put off. How do you put in a framework.
Dave Bittner
or checklists or whatever you need to
Rocco D'Amico
do to make sure that those things just don't stack up to the point
Dave Bittner
where they become a problem?
Sean Planke
I find that we'll see situations like the one you described more often than not based on the culture of the organization. So it really is an entire cultural attitude, the way people look at data security. So once they're aware of it, at many of the banks that I work with, you won't find that, you just won't find it. So I believe it's a culture thing, because everybody's got to be aware of it and everybody has to be on board with that. I don't know if there's a checklist you can make that does that.
Dave Bittner
Right, right.
Rocco D'Amico
So, yeah, that's very interesting. The cultural component, that I guess it's an expectation company-wide.
Sean Planke
Absolutely, absolutely. And this is where high reliability helps too, because it gives people a way. Like if you walk in that room, you could say, without fear that you were going to burn a bridge or hurt somebody's feelings, "Hey, Steve, I notice you've had those laptops here. I just wanted to remind you it's our policy to do this." And high reliability gives you a mechanism to raise that with Steve first, and then if Steve doesn't respond, you can raise it to the next level. And nobody's going to get offended, because the goal is data security. I mean, that's the ultimate goal. And we're all supposed to be pulling in that same direction.
Rocco D'Amico
When you're working with people and onboarding them, getting them up to speed, are there common misunderstandings that you come up against regularly?
Sean Planke
I think, yeah, I think there is. I think people really don't understand. The guys we deal with, IT guys, they understand what goes on inside the firewall, but outside the firewall, which is where I live, they don't understand it as well. And so there is a level of education, as I said before, like in terms of chain of custody, why we do the things that we do, what we can do to help you reduce the cost of the process, things like that. There is an educational process that goes on, but data security inside their building is usually pretty tight. But once it gets outside their firewall or gets off network, that's when the human processes have a larger sway in what happens, and it's just not necessarily their sweet spot.
Dave Bittner
That's Rocco D'Amico from Brass Valley.
Rocco D'Amico
Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Dave Bittner
And finally, the tech industry finds itself in a bit of a bizarre paradox. IT leaders can't find skilled workers, yet graduates in computer science and data science can't land jobs. It's like a dating app where everyone swipes left. The issue: employers want job-ready recruits but don't want to train them. Automated hiring systems favor keyword-stuffed resumes, entry-level jobs demand senior-level experience, and companies lean on underpaid interns instead of hiring full-time staff. Meanwhile, cybersecurity teams are especially guilty: 31% employ no entry-level pros at all. Post-Covid layoffs flooded the job market with experienced workers, making things even harder for fresh grads. Plus, budgets are tight, salaries uncompetitive, and companies are hoarding trusted employees instead of hiring new ones. Software development, cloud, AI and cybersecurity are in demand, but not if you want fair pay. It's not all bad news. The data shows that for graduates, this hiring freeze might be temporary, but for employers, the skills gap seems to be here to stay. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Rocco D'Amico
And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement by connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
CyberWire Daily: Will Plankey Lead CISA to Victory?
Hosted by N2K Networks
Release Date: March 12, 2025
In the March 12, 2025 episode of CyberWire Daily, host Dave Bittner delves into the pressing cybersecurity issues facing the nation, the latest software vulnerabilities, and a deep conversation with industry expert Rocco D'Amico from Brass Valley. The episode, titled "Will Plankey Lead CISA to Victory?", explores the potential impact of Sean Plankey's nomination to head the Cybersecurity and Infrastructure Security Agency (CISA), recent security patches from major tech companies, sophisticated cyber-attack techniques, and the ongoing paradox in the tech industry's hiring landscape.
Sean Plankey, a former cybersecurity official in the Trump administration and a U.S. Coast Guard veteran, has been nominated by the White House to lead CISA. His nomination is currently under Senate review. Plankey brings a wealth of experience from his roles at the Department of Energy and the National Security Council, where he earned a Bronze Star for his work in offensive cyber operations in Afghanistan. Until recently, he spearheaded cybersecurity efforts at Indigo Vault.
Notable Quote:
"Plankey's expertise is exactly what CISA needs right now to navigate the complex cybersecurity landscape and enhance our national security posture."
— Dave Bittner [02:45]
The nomination comes at a time when CISA is under scrutiny due to budget cuts affecting various security initiatives. Notably, the Election Infrastructure Information Sharing and Analysis Center (EI ISAC) has been shut down following a reduction in funding from the Department of Homeland Security (DHS). Experts express concern that these cuts could weaken the cybersecurity framework for elections and local governments, making them more vulnerable to cyber threats.
Notable Quote:
"These cuts weaken cybersecurity for elections and local governments, leaving them more exposed to potential threats."
— Dave Bittner [03:15]
Microsoft released its March 2025 Patch Tuesday update, addressing 57 vulnerabilities, including six actively exploited ones. Critical patches focus on privilege escalation, remote code execution (RCE), security bypass, and information disclosure flaws.
Notable Quote:
"Immediate patching is essential, especially for Office vulnerabilities, to prevent exploitation and secure your systems effectively."
— Dave Bittner [06:30]
Apple issued an emergency security update addressing a critical WebKit zero-day vulnerability actively exploited in targeted attacks. This flaw allows malicious web content to escape the Web content sandbox, potentially enabling unauthorized actions across various Apple platforms.
Notable Quote:
"Users should update immediately to mitigate risks, as these vulnerabilities can be exploited without leaving significant forensic evidence."
— Dave Bittner [09:20]
Researchers at Quarkslab have uncovered sophisticated methods used by attackers to bypass Multi-Factor Authentication (MFA). These techniques exploit timing vulnerabilities and manipulate session tokens, effectively tricking systems into believing MFA was successfully completed.
Notable Quote:
"These MFA bypassing techniques leave minimal forensic evidence, making unauthorized access nearly undetectable."
— Dave Bittner [10:15]
The Lazarus Group, a notorious North Korean hacking collective, has been linked to the distribution of six malicious npm packages aimed at stealing credentials, deploying backdoors, and extracting cryptocurrency data. These typo-squatting packages, downloaded over 330 times, represent a continued effort to infiltrate software development environments.
Notable Quote:
"Developers must be vigilant in monitoring their dependencies to prevent these sophisticated supply chain attacks from compromising their systems."
— Dave Bittner [11:45]
In an insightful conversation with Rocco D'Amico from Brass Valley, the discussion centers on the often-overlooked risks associated with retired electronic devices and the broader skills gap in the cybersecurity industry.
Notable Quote:
"Arrays designed for speed and self-healing contain buffer memory that often goes unnoticed, holding onto all the data that passes through the hard drives."
— Rocco D'Amico [16:14]
Notable Quote:
"Achieving a complete cradle-to-grave chain of custody is essential for data security, protecting against potential breaches from mishandled retired devices."
— Sean Plankey [16:57]
Notable Quote:
"The skills gap in cybersecurity persists because employers want experienced professionals but are reluctant to invest in training new talent."
— Rocco D'Amico [24:13]
The episode concludes by highlighting the paradox within the tech industry's hiring practices. Despite a high demand for roles in software development, cloud computing, AI, and cybersecurity, employers struggle to find qualified candidates. This issue is exacerbated by automated hiring systems that favor keyword-stuffed resumes and the reluctance to offer competitive salaries or training opportunities.
Notable Quote:
"For employers, the skills gap seems to be here to stay, making it imperative to rethink hiring and training strategies to bridge this divide."
— Dave Bittner [24:37]
The March 12, 2025 episode of CyberWire Daily offers a comprehensive look into the current state of cybersecurity, leadership changes within CISA, critical software vulnerabilities, and the industry's ongoing challenges in hiring skilled professionals. Through expert interviews and detailed analysis, the podcast provides valuable insights for cybersecurity professionals, policymakers, and anyone interested in the evolving landscape of digital security.
For more detailed discussions and insights, listeners are encouraged to access the full episode and stay updated with the latest cybersecurity news and analyses.
For additional resources and further information, visit our daily briefing or subscribe to CyberWire Daily through your preferred podcast platform.